  1. MongoDB Database Tools
  2. TOOLS-2962

4.4.x TOOLS uses a vulnerable Go version


Details

    • Bug
    • Status: Closed
    • Minor - P4
    • Resolution: Gone away
    • None
    • 100.3.1
    • All Tools
    • None

    Description

      Problem Statement/Rationale

      Customer runs a container security scan on the image and finds a critical Go vulnerability

      CVE-2020-28367 | high | 7.50 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | > 8 months

      Steps to Reproduce

      Twistlock scan on associated Kubernetes operator deployment images

      Expected Results

      Pass with medium and low CVEs

      Actual Results

      CVE-2020-28367 | high | 7.50 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | > 8 months

      Additional Notes

      This is fixed in the latest MongoDB tools shipping with 5.x. The customer wants to know why we cannot re-compile with a better Go version and re-release.


          People

            tim.fogarty@mongodb.com Tim Fogarty
            priyo.lahiri@mongodb.com Priyo Lahiri (Inactive)
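The finding quoted in the ticket lists two "fixed in" versions because each one patches a different Go release line. The following is an added example, not part of the original ticket or of MongoDB's code, showing how a triage script can evaluate such a line per release line; the names `parseVer` and `Affected` are hypothetical, and the field layout is assumed to match the pipe-separated line shown in the ticket.

```go
package main

import (
	"fmt"
	"strings"
)

// parseVer turns "1.14.12" (or "go1.14.12") into [major, minor, patch].
func parseVer(s string) (v [3]int, err error) {
	_, err = fmt.Sscanf(strings.TrimPrefix(strings.TrimSpace(s), "go"), "%d.%d.%d", &v[0], &v[1], &v[2])
	return v, err
}

// Affected evaluates one finding line in the pipe-separated layout quoted in
// the ticket. Each "fixed in" version patches only its own release line, so:
// same line compares patch level, a line older than a fixed one is treated as
// never fixed, and a line newer than all of them is assumed to carry the fix.
func Affected(finding string) (bool, error) {
	f := strings.Split(finding, "|")
	if len(f) < 6 {
		return false, fmt.Errorf("unexpected finding format")
	}
	have, err := parseVer(f[4])
	if err != nil {
		return false, err
	}
	older := false
	for _, s := range strings.Split(strings.TrimPrefix(strings.TrimSpace(f[5]), "fixed in"), ",") {
		fix, err := parseVer(s)
		if err != nil {
			return false, err
		}
		if have[0] == fix[0] && have[1] == fix[1] {
			return have[2] < fix[2], nil
		}
		older = older || have[0] < fix[0] || (have[0] == fix[0] && have[1] < fix[1])
	}
	return older, nil
}

func main() {
	// First line is the finding from the ticket; the second is constructed.
	for _, l := range []string{
		"CVE-2020-28367 | high | 7.50 | go | 1.13.10 | fixed in 1.15.5, 1.14.12 | > 8 months",
		"CVE-2020-28367 | high | 7.50 | go | 1.14.12 | fixed in 1.15.5, 1.14.12 | > 8 months",
	} {
		fmt.Println(Affected(l))
	}
}
```

Go 1.13.10 is reported as affected because neither fixed version belongs to the 1.13 line, which is why the ticket's question is about rebuilding with a newer toolchain rather than taking a patch release.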